Proposed HIPAA Disclosure Rule, Explained

Dom Nicastro, for HealthLeaders Media, June 2, 2011

"Even though Sec. 13405 (c) within HITECH indicates this type of accounting would be a requirement, it's likely this section was overlooked by most CEs and BAs who instead focused on the breach notice section. The Accounting of Disclosures NPRM is a wake-up call for CEs and BAs alike to get this portion of the Security Rule implemented," Herold says. "Once it is implemented, then creating easy-to-understand reports to show these accesses will be a matter of creating or updating existing applications that access ePHI."

EHRs should have tracking capability, but don't. Apgar says one of the key aspects that providers should take note of is making the audit logs "human-readable" for the patient. "This should be a reporting function of the EHR application," Apgar says. "Tracking data elements that are required per the draft rule that are not generated by the EHR (such as with legacy applications) will be very difficult for the covered entity," he says.

Phyllis A. Patrick, MBA, FACHE, CHC, of Phyllis A. Patrick & Associates LLC, in Purchase, NY, says it's clear that the technology "does not exist or is not yet available to most, if not all, providers to be able to respond to these requirements." Any process today is probably more manual than technical and requires personnel time to locate and report the information, and work with the patient to explain what the information includes, Patrick added. "How can providers and business associates align these requirements with patient requests when EHR capability is not there yet?" she asked.

Some relief? Greene, of Davis Wright Tremaine LLP, says one aspect of the proposed rule is a "welcome relief to covered entities." In the rule, HHS limits the types of disclosures that are subject to a "full accounting." The preamble states that the full accounting of disclosures will be limited to the types of disclosures that are likely to be of most interest to individuals (such as law enforcement and court proceedings), Greene says, and exempts large categories of disclosures such as those required by law or for research.

Are "access reports" a good thing? "I think it makes good sense to add the new right to an access report," says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.

"Many healthcare organizations already provide this voluntarily, and this report, which includes insider access (use, rather than disclosure), is commonly used to identify snoopers."

Concerns over limits to DRSs. Limiting the accounting and access reports to PHI in a DRS raises concerns, Borten adds. In the proposed rule, HHS cites the breach notification interim final rule, which applies to all PHI in any form regardless of where such information exists. In other words, if there is unauthorized access outside of a DRS, CEs and BAs would theoretically have to report it as a breach.


2 comments on "Proposed HIPAA Disclosure Rule, Explained"

Dan Berger (6/9/2011 at 11:37 PM)
In mid-to-late 2012, business associates and their subcontractors will have the same obligations as covered entities under the HIPAA Security Rule and therefore must conduct their own HIPAA security risk assessments. Sue McAndrew, Deputy Director for Health Information Privacy at the Office of Civil Rights (OCR), has called the extension of direct liability to business associates "a sea change" in the regulations.

Kim Corrigan (6/3/2011 at 10:34 AM)
The intent of HIPAA was to protect individuals' health care information. The intent of EMR was to streamline and coordinate care across systems. The concept of disclosure should already have been built into the systems if the true intent was/is to protect the individual. Any other intent would defer on the side of government and/or for-profit health care plans having access and ability to manipulate the delivery of care without an individual's knowledge. Any access/changes/decisions to an individual's health records in any form should be visible to the individual (and any designee) with a look back period of 3 years. If we can see who accessed a credit report, we should certainly be able to see who accessed our health records.

© HealthLeaders Media 2015 a division of BLR All rights reserved.